Are there cyber warfare rules of engagement? New techniques, but the old rules may still apply

Are there cyber warfare rules of engagement? New techniques, but the old rules may still apply

My former colleague Bill Brenner stirred up some interesting reaction to his recent posting about engaging in cyber warfare, “Iran deserves the malware, but expect a backlash.” It's the right time for this discussion. Folks in the security industry — and I include myself — tend to get so immersed in the what and how of Flame, Stuxnet and Duqu (the "oh, wow" factor) that we often forget to discuss the real-world implications of crafting and using malware for sabotage and espionage.

Let’s dwell on the words for a moment: Sabotage and espionage.

Stuxnet was a remarkable piece of weaponized malware, designed for the sole purpose of sabotaging the centrifuges used in Iran’s uranium enrichment program. Stuxnet was a true technical marvel, with four zero-day exploits for embedding and spreading itself in Iran’s Natanz facility’s control systems, combined with intrigue worthy of a John Le Carré novel in getting it into the plant’s isolated network.

Flame is a remarkably complex and flexible malware toolkit designed to conduct digital spying, from information theft and destruction to eavesdropping on audio and IM chats. It uses up to 20 modules when fully deployed, depending, one supposes, on what was needed to get the job done. Its use was apparently undetected for years. If its run is over, it had a very good run. It is, as I wrote recently, spyware that is truly worthy of the name.

So what are we talking about? Sabotage and espionage. Whether an individual, group or nation “deserves” to be the target of sabotage and/or espionage is pretty much a matter of point of view, isn’t it? This kind of spy vs. spy stuff is well understood, and the justifications, and all the means vs. the ends debate is fully engaged when we are talking about: wiretaps and audio enhancements for eavesdropping; stealing files and taking pictures of secret blueprints with tiny cameras, and, yes, deciding to blow stuff up.

Cyber warfare is not truly a new frontier in terms of national policy. It is not breaking new ground in terms of who we spy on and why we spy on them, or don’t. It is not breaking new ground in terms of who or what we sabotage, or why we commit sabotage, or don’t. It is new in terms of techniques that do not require risking assets (read, “people”) as much as conventional methods. From an espionage perspective, it is highly efficient and highly flexible; it is clearly (or at least, has been) highly successful at remaining covert. As sabotage, it allows us to destroy what we consider a threat to our national interest without sending in bombers or troops, or covertly using explosives. It is not so costly in human lives and suffering.

But it is, after all, just the new frontier in espionage and sabotage techniques. Responding to Brenner’s post, “this type of action by one government against another constitutes an act of war.” Perhaps, but that depends on how the other side reacts: Whether they regard it as an attack that requires retaliation or just another act played out between nations in the theater of espionage and counter-espionage. What you can or cannot do is a technical question. What you should or should not do is a political and ethical one.